ANU data breach

In what was a truly terrible year for privacy and cybersecurity, it’s appropriate to end it pointing out the hypocrisy of the media and western governments, and particularly Australia.

Journalists at both News Corp and Nine have today cooperated with a coordinated international attack on “Chinese cyber-espionage”: at The Oz it’s “the Morrison Government has publicly condemned China for an economic espionage operation against Australia as the Trump administration announced it had charged the Chinese spies who were responsible”.

At the SMH, it’s “an extraordinary penetration that has compromised the data of hundreds of businesses” with the Morrison government’s cyber security spruiker Alastair MacGibbon declaring “this is audacious, it is huge, and it impacts potentially thousands of businesses globally. We know there are victims in Australia”.

According to CNN, the US prosecution of two Chinese hackers “was coordinated with 11 other nations: Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the United Arab Emirates and the United Kingdom”.

China is indeed a malicious online actor, devoting massive resources to commercial espionage and to accessing the national security secrets of other countries, as well as using the internet to attack external critics. Indeed, we’re almost certainly not being told, for reasons of “national security”, of more significant Chinese efforts to access the systems of our intelligence and defence agencies.

But at no point do the journalists, who so eagerly play the role of disseminators of the cyber security claims of western governments, ever explain to their readers that western intelligence agencies also devote massive resources not merely to “national security” cyber-espionage but to commercial espionage as well. Agencies like the NSA, GCHQ, the Australian Signals Directorate and ASIS engage in commercial espionage that is designed to benefit US, British and Australian companies.

And it’s not confined to Chinese or Russian companies. Every one is fair game. The ASD in 2013 spied on Indonesian trade negotiators embroiled in a dispute with the US and then passed on the intel to the US to help US companies. It didn’t matter that they were supposedly a defence signals intelligence agency. Nor that the surveillance involved breaching legal privilege. Our spooks, by and large, don’t give a damn about legal privilege — just ask ASIO, which breached the legal privilege of Witness K and Bernard Collaery to bug their discussions — signed off by Labor’s Mark Dreyfus. That, of course, was in relation to another example of commercial espionage, the illegal spying on Timor-Leste’s cabinet ordered by Alexander Downer to help Woodside.

This shouldn’t surprise — one of the major revelations of the Edward Snowden material was the extent to which the signals intelligence apparatus of the Five Eyes countries was used for commercial espionage, even against allies like France and Germany. In fact, so egregious was the use of commercial espionage that the review panel commissioned by Barack Obama in the wake of the Snowden revelations specifically recommended that surveillance of non-Americans outside the US “be directed exclusively at the national security of the United States or our allies” and “must not be directed at illicit or illegitimate ends, such as the theft of trade secrets or obtaining commercial gain for domestic industries”.

In 2015, the Chinese negotiated an agreement with the US to limit commercial espionage, but subsequent revelations have shown that both sides carefully worded the agreement so as to enable them to continue to conduct it. That is, the Chinese are now being criticised for doing what Five Eyes intelligence agencies have long done and continue to do.

But we’re worse than China. The basic method of Five Eyes signals intelligence agencies is to exploit weaknesses in widely used software, using specially developed hacking tools. This involves keeping about one in 10 (according to a former NSA official) software weaknesses they discover secret even from the companies that have developed that software, so they can exploit them. This leaves all users of that software at risk. Worse, both the NSA and the CIA have lost their troves of tools, allowing malicious online actors to attack companies around the world. It is almost entirely software developed by western companies — usually US companies — that is abused this way.

Still worse, of course, is that our global village idiot of a government, backed by the cowards of the ALP, not merely wants to have our intelligence agencies continue this approach, but even go beyond not telling software companies about flaws by requiring them to insert flaws to defeat encryption. This will purportedly only be used for serious crimes, but the history of our intelligence agencies shows it will be used for commercial espionage as well, if it can be.

And the losers will be everyone who relies on cyber-security. Which is to say, all of us. It’d be nice if journalists so keen to run the propaganda of western governments and intelligence agencies provided at least a little context.